Description
In the documentation surrounding Blazor Hybrid apps with .NET MAUI it is stated that it is not recommended to expose the access token to JavaScript running inside of the WebView. Instead it is suggested that network requests are intercepted so that the access token can be injected by the native app. This indeed seems to me to be the most secure way of doing it.
However it doesn't seem there's a good way to do this with the current APIs. I've managed to get something to work on Android by wrapping the `WebViewClient` that is injected by the `BlazorWebView` control and overriding a couple of methods there, but this feels brittle as the `WebViewClient` provided by Blazor might override additional methods in the future. On iOS I haven't found a solution that works so far, although I haven't looked into it deeply enough yet.
Public API Changes
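```csharp
// Proposed API sketch: OnRequest is the event this issue asks for, not an existing member.
var webView = new BlazorWebView();
webView.OnRequest += (sender, args) =>
{
    // The native side adds the token, so it is never exposed to JavaScript in the WebView.
    args.RequestHeaders.Add("Authorization", "Bearer " + token);
};
```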
Intended Use-Case
It would be great if the BlazorWebView had some API that would allow us to intercept requests and inject additional request headers depending on the destination of the request for example. This would allow non-Blazor JavaScript to run inside of a Blazor Hybrid app while communicating with a backend somewhere that requires authentication.
Implementation Restrictions
- Android
  - Android does not directly allow "intercept-and-continue" for requests. The implementation is to rather notify you that a request is about to happen and you can either replace the whole request or do nothing and let the webview do it.
  - Android does not support custom schemes.
- iOS/Mac Catalyst
  - iOS and Mac Catalyst do NOT allow interception of `http` and `https` requests:
    https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/seturlschemehandler(_:forurlscheme:)#parameters
    > It is a programmer error to register a handler for a scheme WebKit already handles, such as https ...

Platform | Intercept HTTPS | Intercept Custom Schemes | Request Modification |
---|---|---|---|
Android | ✅ | ❌ | ❌ |
iOS | ❌ | ✅ | ❌ |
Mac Catalyst | ❌ | ✅ | ❌ |
Windows | ✅ | ✅ | ✅ |
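
The use case above injects the token "depending on the destination of the request". The following is an added example, not part of the issue and not a .NET MAUI API: a destination check the native side could run before attaching the token to a request it sends on the page's behalf. `TokenInjectionPolicy`, its members, the origins and the token value are all hypothetical or constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;

// Hypothetical helper: decides per destination whether the access token may be attached.
public sealed class TokenInjectionPolicy
{
    private readonly HashSet<string> _allowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public TokenInjectionPolicy(IEnumerable<string> allowedOrigins)
    {
        foreach (var origin in allowedOrigins)
            _allowedOrigins.Add(Normalize(new Uri(origin)));
    }

    // Compare scheme, host and port from the parsed Uri, never by string prefix,
    // so lookalike hosts and userinfo tricks do not match an allowed origin.
    private static string Normalize(Uri uri) => $"{uri.Scheme}://{uri.IdnHost}:{uri.Port}";

    public bool ShouldAttachToken(Uri destination) =>
        destination.IsAbsoluteUri
        && destination.Scheme == Uri.UriSchemeHttps   // never send the token in clear text
        && _allowedOrigins.Contains(Normalize(destination));

    // Builds the request the native app sends; the token is added only for allowed origins.
    public HttpRequestMessage BuildRequest(HttpMethod method, Uri destination, string accessToken)
    {
        var request = new HttpRequestMessage(method, destination);
        if (ShouldAttachToken(destination))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return request;
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new TokenInjectionPolicy(new[] { "https://api.example.com" });
        const string token = "constructed-sample-token"; // constructed value
        var urls = new[] { "https://api.example.com/v1/items", "http://api.example.com/v1/items",
            "https://api.example.com.cdn.test/x", "https://api.example.com@other.test/x" };
        foreach (var url in urls) // constructed sample destinations
        {
            var request = policy.BuildRequest(HttpMethod.Get, new Uri(url), token);
            Console.WriteLine($"{url} -> token attached: {request.Headers.Authorization != null}");
        }
    }
}
```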